This tutorial guides you through the configuration of a zone-based policy firewall (ZBFW), a newer way to configure a stateful firewall on Cisco IOS. With ZBFW, interfaces are assigned to security zones and the firewall policy is applied to the traffic that moves between two zones (a zone pair). Two defaults matter from a security standpoint: traffic between interfaces in the same zone is permitted, and traffic between interfaces in different zones is dropped unless a zone pair with a policy explicitly inspects or passes it. The policies are very flexible: because matching is done with class maps rather than per interface, different actions can be applied to different hosts arriving on the same interface.

configuring_zbpf_init.pkt contains the initial topology and configuration of the routers. The hosts (the PC and the SERVER) have full connectivity and no traffic is filtered.

configuring_zbpf_final.pkt is the final configuration; you should use this to compare what you configured and confirm that you did everything correctly.

Regarding the topology, on each subnet where a PC or the SERVER is connected, the router's interface has an IP address whose last octet is .1 and the PC's (or SERVER's) IP address has a last octet of .100. The default gateway of the host is the router's IP address.

For instance, on the subnet with PC_2, PC_2 has the IP address of 10.10.20.100/24 and R3’s interface IP address is 10.10.20.1/24.

Each router has a loopback address in the form of 1.1.1.X/32, where X is the router number. For instance, the loopback address of R3 is 1.1.1.3/32.

Also, each subnet between the routers is written on the topology, and on every such link a router's address uses its router number as the last octet. For instance, on the subnet 10.10.12.0/24, R1 has 10.10.12.1/24 and R2 has 10.10.12.2/24.

All three routers are running OSPF in area 0, so PC_2 and SERVER have IP connectivity with each other before any firewall is configured.

The goal of this lab is to configure R3 so that it allows traffic between PC_2 and SERVER only when the session is initiated by PC_2: the outbound traffic is inspected, the matching return traffic is allowed back through, and anything initiated from the SERVER side toward PC_2 is dropped.

We will consider the subnet 10.10.20.0/24 (the link between R3 and PC_2) the internal/secure network; everything reached through R3's other interface is the outside network.

Task 1 requirements

A. Create an internal/inside zone.

B. Create an external/outside zone.

C. Create an access list that permits any kind of traffic sourced from subnet 10.10.20.0/24 to any destination.

D. Create a class map that matches all the traffic permitted by the ACL defined at step C.

E. Create a policy map of type inspect that decides which action is applied to the class map defined at step D.

F. Inside the policy map, specify the class map defined at step D and apply the inspect action.

G. Create a zone pair that uses the zone created at step A as source and the zone created at step B as destination.

H. Attach the policy map defined at step E to this zone pair.

I. Configure interface FastEthernet0/0 as a member of the zone defined at step B.

J. Configure interface FastEthernet0/1 as a member of the zone defined at step A.

Task 1 verification

Connect to PC_2 and, from the Desktop tab, choose "Command Prompt." From there, ping 10.10.10.100 (SERVER). The ping should succeed: the echo requests enter R3 on the inside zone, are inspected by the INSIDE_ZONE to OUTSIDE_ZONE policy, and the echo replies are allowed back in because they match the session that the inspect action created.

Connect to SERVER and, from the Desktop tab, choose "Command Prompt." From there, ping 10.10.20.100 (PC_2). The ping should fail: there is no zone pair from OUTSIDE_ZONE to INSIDE_ZONE, so traffic initiated in that direction is dropped by default.

While you ping SERVER from PC_2, use this command on R3 to see the established sessions. You should see something similar to this output:

Use the command “zone-pair security INSIDE-2-OUTSIDE-ZONE source INSIDE_ZONE destination OUTSIDE_ZONE” to create a zone pair and specify which zone will be the source and which zone will be the destination.

Use the command “service-policy type inspect INSIDE-2-OUTSIDE-POL-MAP” to attach the policy map to the zone pair.

Use the command “zone-member security OUTSIDE_ZONE” on F0/0 to mark the interface as part of the outside zone.

Use the command “zone-member security INSIDE_ZONE” on F0/1 to mark the interface as part of the inside zone.
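Putting the requirements (steps A to J) and the commands above together, here is a complete R3 configuration as an added example; it is not the content of the .pkt files. It assumes that F0/0 faces R2 and F0/1 faces PC_2, as the last two steps imply. The ACL and class-map names (INSIDE-TO-ANY-ACL, INSIDE-2-OUTSIDE-CLASS) are my choice; the zone, zone-pair and policy-map names are the ones the page already uses.

```cisco
! Added example: full ZBFW configuration for R3. Assumed: F0/0 = outside (toward R2),
! F0/1 = inside (toward PC_2). ACL and class-map names are assumptions, not from the lab files.
!
! Steps A and B: the two security zones
zone security INSIDE_ZONE
 description 10.10.20.0/24, PC_2 side
zone security OUTSIDE_ZONE
 description toward R2 and SERVER
!
! Step C: ACL matching anything sourced from the inside subnet
ip access-list extended INSIDE-TO-ANY-ACL
 permit ip 10.10.20.0 0.0.0.255 any
!
! Step D: class map that selects the traffic permitted by the ACL
class-map type inspect match-all INSIDE-2-OUTSIDE-CLASS
 match access-group name INSIDE-TO-ANY-ACL
!
! Steps E and F: inspect policy. class-default is dropped anyway; making it explicit
! (with logging) documents the default-deny behaviour.
policy-map type inspect INSIDE-2-OUTSIDE-POL-MAP
 class type inspect INSIDE-2-OUTSIDE-CLASS
  inspect
 class class-default
  drop log
!
! Steps G and H: unidirectional zone pair, inside -> outside, with the policy attached
zone-pair security INSIDE-2-OUTSIDE-ZONE source INSIDE_ZONE destination OUTSIDE_ZONE
 service-policy type inspect INSIDE-2-OUTSIDE-POL-MAP
!
! Steps I and J: interface membership. The firewall only takes effect once both
! interfaces are in zones.
interface FastEthernet0/0
 zone-member security OUTSIDE_ZONE
interface FastEthernet0/1
 zone-member security INSIDE_ZONE
!
! Verification (run while PC_2 is pinging SERVER)
show zone security
show zone-pair security
show policy-map type inspect zone-pair sessions
```

Two caveats when adapting this. A zone pair is unidirectional: return traffic of inspected sessions comes back without an OUTSIDE-to-INSIDE pair, but anything the outside initiates stays dropped until you create one with its own policy. And once an interface belongs to a zone, traffic between it and any interface that is in no zone is dropped; traffic to and from the router itself (OSPF on these links, pings to the loopback) belongs to the implicit self zone and is not affected by this policy. In many IOS versions a class that matches only an access list performs generic Layer 4 inspection and the router prints a warning; adding `match protocol` entries (icmp, tcp, udp) gives protocol-aware inspection.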

As you can see, the zone-based firewall configuration is not a short one: you have to know the exact building blocks (zones, ACL, class map, policy map, zone pair, interface membership) and configure them in the right order, since each object references the one created before it. But if you analyze them, the steps are logical.

Paris Arau is a network engineer with extensive knowledge of Cisco and Juniper routing and switching platforms. He is a CCIE R&S and a dual JNCIE (SP and ENT). With a strong service provider and enterprise background, he works on a daily basis with cutting-edge technologies. He also writes about routing and switching technologies, cloud computing and virtualization on his personal blog, http://nextheader.net.
